# Copyright 2012, Nachi Ueno, NTT MCL, Inc.
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
"""Driver which enforces security groups through PF rules.
Please look at neutron.agent.firewall.FirewallDriver for more information
on how the methods below are called from the Neutron Open vSwitch agent. It
all starts at prepare_port_filter(), and then _setup_pf_rules() holds all the
PF-based logic that adds the correct rules on a guest instance's port.
# List of ports that have a security group
# List of security group rules for ports residing on this host
# List of security group member IPs for ports residing on this host
# Every PF rule needs to be labeled so that we can later kill the state
# associated with that rule (using pfctl -k label -k 110). It is hard
# to come up with a meaningfully named label for each PF rule, so we
# are resorting to numbers here.
"""We never call this method.
It exists here to override the abstract method of the parent abstract class.
# TODO(gmoodalb): Extend this later to optimize handling of security
# we need to remove both ingress and egress
# Fixed rules for traffic sourced from unspecified addresses: 0.0.0.0
# Allow DHCP client discovery and request
'to 255.255.255.255/32 port 67 label "%s"' %
# Allow neighbor solicitation and multicast listener discovery
# from the unspecified address for duplicate address detection
'from ::/128 to ff02::/16 icmp6-type %s '
# Fixed rules for traffic after the source address is verified
# Allow DHCP client renewal and rebinding
# Drop Router Advts from the port.
'icmp6-type %s label "%s"' %
# Allow IPv6 DHCP client traffic
'from port 547 to port 546 label "%s"' %
# Allow multicast listener, neighbor solicitation and
# neighbor advertisement into the instance
'icmp6-type %s label "%s"' %
"""Select rules from the security groups the port is a member of."""
"""Expand a remote group rule to one rule per remote group IP."""
# self.pf.add_nested_anchor_rule(None, anchor_name, anchor_option)
''' Add a generic block-everything rule. The default security group
in OpenStack adds 'pass all egress traffic' and prevents all the
# select rules for the current port and direction
# split groups by IP version
# for IPv4, 'pass' will be used
# for IPv6, 'pass inet6' will be used
# include IPv4 and IPv6 iptables rules from the security group
# we need to convert it into a CIDR
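As an added illustration (not the driver's own code, which is not visible on this page): emitting the fixed per-port rules described in the comments above with sequential numeric labels, plus the matching pfctl state-kill invocation. The PF keywords outside the fragments quoted on the page (pass/block, quick, proto, and the ICMPv6 type names) are assumptions.

```python
from itertools import count

# ICMPv6 type keywords as PF spells them (assumed; the driver's own
# constants are not visible on the page).
NEIGHBR_SOLICIT = "neighbrsol"
NEIGHBR_ADVERT = "neighbradv"
ROUTER_ADVERT = "routeradv"
MLD_REPORT = "listenrep"


def fixed_port_rules(counter=None):
    """Return the fixed per-port PF rules as (direction, rule) tuples.

    Each rule gets a numeric label from `counter`, mirroring the driver's
    numbered labels, so its state can later be killed by label.
    """
    counter = counter or count(1)

    def lbl():
        return str(next(counter))

    rules = []
    # Traffic sourced from unspecified addresses (0.0.0.0 and ::)
    rules.append(("egress", 'pass out quick proto udp from 0.0.0.0/32 '
                  'to 255.255.255.255/32 port 67 label "%s"' % lbl()))
    for t in (NEIGHBR_SOLICIT, MLD_REPORT):   # DAD before an address exists
        rules.append(("egress", 'pass out quick inet6 proto ipv6-icmp '
                      'from ::/128 to ff02::/16 icmp6-type %s label "%s"'
                      % (t, lbl())))
    # Traffic after the source address is verified
    rules.append(("egress", 'pass out quick proto udp from port 68 '
                  'to port 67 label "%s"' % lbl()))          # renew/rebind
    rules.append(("egress", 'block out quick inet6 proto ipv6-icmp '
                  'icmp6-type %s label "%s"' % (ROUTER_ADVERT, lbl())))
    rules.append(("ingress", 'pass in quick inet6 proto udp '
                  'from port 547 to port 546 label "%s"' % lbl()))  # DHCPv6
    for t in (MLD_REPORT, NEIGHBR_SOLICIT, NEIGHBR_ADVERT):
        rules.append(("ingress", 'pass in quick inet6 proto ipv6-icmp '
                      'icmp6-type %s label "%s"' % (t, lbl())))
    return rules


def kill_state_command(label):
    """pfctl argv that flushes the state created by one labelled rule."""
    return ["pfctl", "-k", "label", "-k", str(label)]
```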