From b8293bb6a266884ca57ff26179ef96c3f6298511 Mon Sep 17 00:00:00 2001
From: Javi Fontan
Date: Fri, 10 Feb 2017 18:40:11 +0100
Subject: [PATCH] B #5017: fix IPv6 secgroups for specific networks
Also takes into account mixed networks (IPv4+IPv6)
---
 src/vnm_mad/remotes/lib/security_groups.rb | 22 ++++++---
 .../remotes/lib/security_groups_iptables.rb | 48 +++++++++++--------
 2 files changed, 43 insertions(+), 27 deletions(-)
diff --git a/src/vnm_mad/remotes/lib/security_groups.rb b/src/vnm_mad/remotes/lib/security_groups.rb
index 40867de70a..c11bf338c6 100644
--- a/src/vnm_mad/remotes/lib/security_groups.rb
+++ b/src/vnm_mad/remotes/lib/security_groups.rb
@@ -68,10 +68,12 @@ module VNMNetwork
 @icmp_type = @rule[:icmp_type]
 @icmpv6_type = @rule[:icmpv6_type]
- @range = @rule[:range]
- @ip = @rule[:ip]
- @size = @rule[:size]
- @type = set_type
+ @range = @rule[:range]
+ @ip = @rule[:ip]
+ @ip6_global = @rule[:ip6_global]
+ @ip6_ula = @rule[:ip6_ula]
+ @size = @rule[:size]
+ @type = set_type
 end
 # Process the rule and generates the associated commands of the rule
@@ -108,9 +110,17 @@ module VNMNetwork
 # Return the network blocks associated to the rule
 # @return [Array] each network block in CIDR.
 def net
- return [] if @ip.nil? || @size.nil?
+ nets = []
- VNMNetwork::to_nets(@ip, @size.to_i)
+ if @ip && @size
+ nets += VNMNetwork::to_nets(@ip, @size.to_i)
+ elsif @ip6_global && @size
+ nets += VNMNetwork::to_nets(@ip6_global, @size.to_i)
+ elsif @ip6_ula && @size
+ nets += VNMNetwork::to_nets(@ip6_ula, @size.to_i)
+ end
+
+ return nets
 end
 # Expand the ICMP type with associated codes if any
diff --git a/src/vnm_mad/remotes/lib/security_groups_iptables.rb b/src/vnm_mad/remotes/lib/security_groups_iptables.rb
index 36b41232a7..c8540750f9 100644
--- a/src/vnm_mad/remotes/lib/security_groups_iptables.rb
+++ b/src/vnm_mad/remotes/lib/security_groups_iptables.rb
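Review bot: The `if`/`elsif`/`elsif` chain in the new `net` makes the three address sources mutually exclusive, so a rule that carries both `@ip` and `@ip6_global` (or both IPv6 kinds) returns only the first family's blocks and silently drops the rest, even though `nets = []` plus `+=` reads as an accumulator and the commit says mixed IPv4+IPv6 networks are now covered. Unless the caller already splits a mixed address range into one rule per family (not visible here), the dropped family never reaches an ipset, so that traffic presumably never hits the `RETURN` rule. Making the three checks independent fixes it: `nets += VNMNetwork::to_nets(@ip, @size.to_i) if @ip && @size`, `nets += VNMNetwork::to_nets(@ip6_global, @size.to_i) if @ip6_global && @size`, `nets += VNMNetwork::to_nets(@ip6_ula, @size.to_i) if @ip6_ula && @size`. Whether one `@size` is the right prefix length for both the IPv4 and the IPv6 blocks of the same rule cannot be checked from this hunk and is worth a comment on `net`.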
@@ -81,29 +81,35 @@ module SGIPTables
 return if the_nets.empty?
- if IPAddr.new(the_nets[0]).ipv6?
- command = :ip6tables
- family = "inet6"
- else
- command = :iptables
- family = "inet"
- end
-
- if @rule_type == :inbound
- chain = vars[:chain_in]
- set = "#{vars[:set_sg_in]}-#{@protocol}-n-#{family}"
- dir = "src"
- else
- chain = vars[:chain_out]
- set = "#{vars[:set_sg_out]}-#{@protocol}-n-#{family}"
- dir = "dst"
- end
-
- cmds.add :ipset, "create #{set} hash:net family #{family}"
- cmds.add command, "-A #{chain} -p #{@protocol} -m set" \
- " --match-set #{set} #{dir} -j RETURN"
+ sets = []
 the_nets.each do |n|
+ if IPAddr.new(the_nets[0]).ipv6?
+ command = :ip6tables
+ family = "inet6"
+ else
+ command = :iptables
+ family = "inet"
+ end
+
+ if @rule_type == :inbound
+ chain = vars[:chain_in]
+ set = "#{vars[:set_sg_in]}-#{@protocol}-n-#{family}"
+ dir = "src"
+ else
+ chain = vars[:chain_out]
+ set = "#{vars[:set_sg_out]}-#{@protocol}-n-#{family}"
+ dir = "dst"
+ end
+
+ if !sets.include?(set)
+ cmds.add :ipset, "create #{set} hash:net family #{family}"
+ cmds.add command, "-A #{chain} -p #{@protocol} -m set" \
+ " --match-set #{set} #{dir} -j RETURN"
+
+ sets << set
+ end
+
 cmds.add :ipset, "add -exist #{set} #{n}"
 end
 end
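Review bot: The family test that was moved inside `the_nets.each do |n|` still inspects `the_nets[0]` rather than the current block `n`, so every block is classified by the first block's family and the per-block `command`/`family`/`set` recomputation is a no-op. For the mixed IPv4+IPv6 list this commit sets out to support, blocks of the other family are then passed to `ipset add -exist` on a set of the wrong family, which ipset rejects, and no `-m set` rule is ever appended for that family; whether that aborts the whole security-group programming or just leaves that family's traffic unmatched depends on how `cmds` handles failures, which is not visible here. The fix is `if IPAddr.new(n).ipv6?`. The `sets.include?` deduplication is fine, but `chain`/`set`/`dir` only change with `family`, so they could be computed once per family next to the `create` instead of on every iteration. `@rule_type`, `vars`, `cmds` and `the_nets` belong to the enclosing method, whose start lies outside the hunk.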