Class: Dcmgr::VNet::TaskFactory
- Inherits:
-
Object
- Object
- Dcmgr::VNet::TaskFactory
- Extended by:
- Helpers::NicHelper
- Includes:
- Tasks
- Defined in:
- lib/dcmgr/vnet/factories.rb
Class Method Summary collapse
-
.create_drop_tasks_for_vnic(vnic, node) ⇒ Object
Returns the tasks that drop all traffic.
-
.create_nat_tasks_for_vnic(vnic, node) ⇒ Object
Creates tasks related to network address translation.
- .create_tasks_for_isolation(vnic, friends, node) ⇒ Object
-
.create_tasks_for_secgroup(secgroup) ⇒ Object
Returns the tasks required for applying this security group.
-
.create_tasks_for_vnic(vnic, friends, security_groups, node) ⇒ Object
Returns the netfilter tasks required for this vnic The friends parameter is an array of vnic_maps that should not be isolated from vnic.
Methods included from Helpers::NicHelper
clean_mac, find_nic, is_natted?, nic_state, valid_nic?
Class Method Details
.create_drop_tasks_for_vnic(vnic, node) ⇒ Object
Returns the tasks that drop all traffic
64 65 66 67 68 69 |
# File 'lib/dcmgr/vnet/factories.rb', line 64 def self.create_drop_tasks_for_vnic(vnic,node) enable_logging = node.manifest.config.packet_drop_log #TODO: Add logging to ip drops [DropIpFromAnywhere.new, DropArpForwarding.new(enable_logging,"D arp #{vnic[:uuid]}: ")] end |
.create_nat_tasks_for_vnic(vnic, node) ⇒ Object
Creates tasks related to network address translation
72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 |
# File 'lib/dcmgr/vnet/factories.rb', line 72 def self.create_nat_tasks_for_vnic(vnic,node) #friend_ips = friends.map {|vnic_map| vnic_map[:ipv4][:address]} #ipset_enabled = node.manifest.config.use_ipset tasks = [] # Nat tasks if is_natted? vnic # Exclude instances in the same security group form using nat #if ipset_enabled # Not implemented yet #tasks << ExcludeFromNatIpSet.new(friend_ips,vnic[:ipv4][:address]) #else #tasks << ExcludeFromNat.new(friend_ips,vnic[:ipv4][:address]) #end tasks << StaticNatLog.new(vnic[:ipv4][:address], vnic[:ipv4][:nat_address], "SNAT #{vnic[:uuid]}", "DNAT #{vnic[:uuid]}") if node.manifest.config.packet_drop_log tasks << StaticNat.new(vnic[:ipv4][:address], vnic[:ipv4][:nat_address], clean_mac(vnic[:mac_addr])) end tasks << TranslateMetadataAddress.new(vnic[:uuid],vnic[:ipv4][:network][:metadata_server],vnic[:ipv4][:network][:metadata_server_port] || 80) unless vnic[:ipv4][:network][:metadata_server].nil? tasks end |
.create_tasks_for_isolation(vnic, friends, node) ⇒ Object
35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 |
# File 'lib/dcmgr/vnet/factories.rb', line 35 def self.create_tasks_for_isolation(vnic,friends,node) tasks = [] enable_logging = node.manifest.config.packet_drop_log ipset_enabled = node.manifest.config.use_ipset friend_ips = friends.map {|vnic_map| vnic_map[:ipv4][:address]} tasks << AcceptARPFromFriends.new(vnic[:ipv4][:address],friend_ips,enable_logging,"A arp friend #{vnic[:uuid]}") #tasks << AcceptIpFromFriends(friend_ips) if is_natted? vnic # Friends don't use NAT, friends talk to each other with their REAL ip addresses. # It's a heart warming scene, really if ipset_enabled # Not implemented yet #tasks << ExcludeFromNatIpSet.new(friend_ips,vnic[:ipv4][:address]) else tasks << ExcludeFromNat.new(friend_ips,vnic[:ipv4][:address]) end end tasks end |
.create_tasks_for_secgroup(secgroup) ⇒ Object
Returns the tasks required for applying this security group
59 60 61 |
# File 'lib/dcmgr/vnet/factories.rb', line 59 def self.create_tasks_for_secgroup(secgroup) [SecurityGroup.new(secgroup)] end |
.create_tasks_for_vnic(vnic, friends, security_groups, node) ⇒ Object
Returns the netfilter tasks required for this vnic The friends parameter is an array of vnic_maps that should not be isolated from vnic
98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
# File 'lib/dcmgr/vnet/factories.rb', line 98 def self.create_tasks_for_vnic(vnic,friends,security_groups,node) tasks = [] host_addr = Isono::Util.default_gw_ipaddr enable_logging = node.manifest.config.packet_drop_log ipset_enabled = node.manifest.config.use_ipset # Drop all traffic that isn't explicitely accepted tasks += self.create_drop_tasks_for_vnic(vnic,node) # General data link layer tasks tasks << AcceptARPToHost.new(host_addr,vnic[:ipv4][:address],enable_logging,"A arp to_host #{vnic[:uuid]}: ") tasks << AcceptARPFromGateway.new(vnic[:ipv4][:network][:ipv4_gw],enable_logging,"A arp from_gw #{vnic[:uuid]}: ") unless vnic[:ipv4][:network][:ipv4_gw].nil? tasks << DropIpSpoofing.new(vnic[:ipv4][:address],enable_logging,"D arp sp #{vnic[:uuid]}: ") tasks << DropMacSpoofing.new(clean_mac(vnic[:mac_addr]),enable_logging,"D ip sp #{vnic[:uuid]}: ") tasks << AcceptArpBroadcast.new(host_addr,enable_logging,"A arp bc #{vnic[:uuid]}: ") # General ip layer tasks tasks << .new tasks << .new tasks << AcceptUdpEstablished.new tasks << AcceptAllDNS.new tasks << AcceptWakameDHCPOnly.new(vnic[:ipv4][:network][:dhcp_server]) unless vnic[:ipv4][:network][:dhcp_server].nil? # Accept OUTGOING traffic from instances to anywhere in the network #tasks << AcceptIpToAnywhere.new # VM isolation based tasks += self.create_tasks_for_isolation(vnic,friends,node) tasks += self.create_nat_tasks_for_vnic(vnic,node) # Accept ip traffic from the gateway that isn't blocked by other tasks tasks << AcceptIpFromGateway.new(vnic[:ipv4][:network][:ipv4_gw]) unless vnic[:ipv4][:network][:ipv4_gw].nil? # Security group tasks security_groups.each { |secgroup| tasks += self.create_tasks_for_secgroup(secgroup) } tasks end |