Support writing ACLs
This commit is contained in:
parent
d9d57c015f
commit
c726865b89
|
@ -531,8 +531,8 @@ def cli_network():
|
||||||
@click.command(name='add', short_help='Add a new virtual network to the cluster.')
|
@click.command(name='add', short_help='Add a new virtual network to the cluster.')
|
||||||
@click.option(
|
@click.option(
|
||||||
'-d', '--description', 'description',
|
'-d', '--description', 'description',
|
||||||
default="",
|
required=True,
|
||||||
help='Description of the network; should not contain whitespace.'
|
help='Description of the network; must be unique and not contain whitespace and must be unique.'
|
||||||
)
|
)
|
||||||
@click.option(
|
@click.option(
|
||||||
'-n', '--domain', 'domain',
|
'-n', '--domain', 'domain',
|
||||||
|
@ -552,7 +552,8 @@ def cli_network():
|
||||||
@click.option(
|
@click.option(
|
||||||
'--dhcp/--no-dhcp', 'dhcp_flag',
|
'--dhcp/--no-dhcp', 'dhcp_flag',
|
||||||
is_flag=True,
|
is_flag=True,
|
||||||
default=False,
|
required=True,
|
||||||
|
default=None,
|
||||||
help='Enable/disable DHCP for clients on subnet.'
|
help='Enable/disable DHCP for clients on subnet.'
|
||||||
)
|
)
|
||||||
@click.option(
|
@click.option(
|
||||||
|
@ -587,7 +588,7 @@ def net_add(vni, description, domain, ip_network, ip_gateway, dhcp_flag, dhcp_st
|
||||||
@click.option(
|
@click.option(
|
||||||
'-d', '--description', 'description',
|
'-d', '--description', 'description',
|
||||||
default=None,
|
default=None,
|
||||||
help='Description of the network; should not contain whitespace.'
|
help='Description of the network; must be unique and not contain whitespace.'
|
||||||
)
|
)
|
||||||
@click.option(
|
@click.option(
|
||||||
'-n', '--domain', 'domain',
|
'-n', '--domain', 'domain',
|
||||||
|
@ -606,8 +607,8 @@ def net_add(vni, description, domain, ip_network, ip_gateway, dhcp_flag, dhcp_st
|
||||||
)
|
)
|
||||||
@click.option(
|
@click.option(
|
||||||
'--dhcp/--no-dhcp', 'dhcp_flag',
|
'--dhcp/--no-dhcp', 'dhcp_flag',
|
||||||
default=None,
|
|
||||||
is_flag=True,
|
is_flag=True,
|
||||||
|
default=None,
|
||||||
help='Enable/disable DHCP for clients on subnet.'
|
help='Enable/disable DHCP for clients on subnet.'
|
||||||
)
|
)
|
||||||
@click.option(
|
@click.option(
|
||||||
|
@ -803,7 +804,103 @@ def net_acl():
|
||||||
"""
|
"""
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# pvc network acl add
|
||||||
|
###############################################################################
|
||||||
|
@click.command(name='add', short_help='Add firewall ACL.')
|
||||||
|
@click.option(
|
||||||
|
'--in/--out', 'direction',
|
||||||
|
is_flag=True,
|
||||||
|
required=True,
|
||||||
|
default=None,
|
||||||
|
help='Inbound or outbound ruleset.'
|
||||||
|
)
|
||||||
|
@click.option(
|
||||||
|
'-d', '--description', 'description',
|
||||||
|
required=True,
|
||||||
|
help='Description of the ACL; must be unique and not contain whitespace.'
|
||||||
|
)
|
||||||
|
@click.option(
|
||||||
|
'-r', '--rule', 'rule',
|
||||||
|
required=True,
|
||||||
|
help='NFT firewall rule.'
|
||||||
|
)
|
||||||
|
@click.option(
|
||||||
|
'-o', '--order', 'order',
|
||||||
|
default=None,
|
||||||
|
help='Order of rule in the chain (see "list"); defaults to last.'
|
||||||
|
)
|
||||||
|
@click.argument(
|
||||||
|
'net'
|
||||||
|
)
|
||||||
|
def net_acl_add(net, direction, description, rule, order):
|
||||||
|
"""
|
||||||
|
Add a new NFT firewall rule to network NET; the rule is a literal NFT rule belonging to the forward table for the client network; NET can be either a VNI or description.
|
||||||
|
|
||||||
|
NOTE: All client networks are default-allow in both directions; deny rules MUST be added here at the end of the sequence for a default-deny setup.
|
||||||
|
|
||||||
|
NOTE: Ordering places the rule at the specified ID, not before it; the old rule of that ID and all subsequent rules will be moved down.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
pvc network acl add 1001 --in --rule "tcp dport 22 ct state new accept" --description "ssh-in" --order 3
|
||||||
|
"""
|
||||||
|
|
||||||
|
zk_conn = pvc_common.startZKConnection(zk_host)
|
||||||
|
retcode, retmsg = pvc_network.add_acl(zk_conn, net, direction, description, rule, order)
|
||||||
|
cleanup(retcode, retmsg, zk_conn)
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# pvc network acl remove
|
||||||
|
###############################################################################
|
||||||
|
@click.command(name='remove', short_help='Remove firewall ACL.')
|
||||||
|
@click.option(
|
||||||
|
'--in/--out', 'direction',
|
||||||
|
is_flag=True,
|
||||||
|
required=True,
|
||||||
|
default=None,
|
||||||
|
help='Inbound or outbound rule set.'
|
||||||
|
)
|
||||||
|
@click.argument(
|
||||||
|
'net'
|
||||||
|
)
|
||||||
|
@click.argument(
|
||||||
|
'rule',
|
||||||
|
)
|
||||||
|
def net_acl_remove(net, rule, direction):
|
||||||
|
"""
|
||||||
|
Remove an NFT firewall rule RULE from network NET; RULE can be either a sequence order identifier or description; NET can be either a VNI or description."
|
||||||
|
"""
|
||||||
|
|
||||||
|
zk_conn = pvc_common.startZKConnection(zk_host)
|
||||||
|
retcode, retmsg = pvc_network.remove_acl(zk_conn, net, rule, direction)
|
||||||
|
cleanup(retcode, retmsg, zk_conn)
|
||||||
|
|
||||||
|
###############################################################################
|
||||||
|
# pvc network acl list
|
||||||
|
###############################################################################
|
||||||
|
@click.command(name='list', short_help='List firewall ACLs.')
|
||||||
|
@click.option(
|
||||||
|
'--in/--out', 'direction',
|
||||||
|
is_flag=True,
|
||||||
|
required=True,
|
||||||
|
default=None,
|
||||||
|
help='Inbound or outbound rule set.'
|
||||||
|
)
|
||||||
|
@click.argument(
|
||||||
|
'net'
|
||||||
|
)
|
||||||
|
@click.argument(
|
||||||
|
'limit', default=None, required=False
|
||||||
|
)
|
||||||
|
def net_acl_list(net, limit, direction):
|
||||||
|
"""
|
||||||
|
List all NFT firewall rules in network NET; optionally only match elements matching description regex LIMIT; NET can be either a VNI or description.
|
||||||
|
"""
|
||||||
|
|
||||||
|
zk_conn = pvc_common.startZKConnection(zk_host)
|
||||||
|
retcode, retmsg = pvc_network.get_list_acl(zk_conn, net, limit, direction)
|
||||||
|
cleanup(retcode, retmsg, zk_conn)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -909,6 +1006,10 @@ net_dhcp_static.add_command(net_dhcp_static_add)
|
||||||
net_dhcp_static.add_command(net_dhcp_static_remove)
|
net_dhcp_static.add_command(net_dhcp_static_remove)
|
||||||
net_dhcp_static.add_command(net_dhcp_static_list)
|
net_dhcp_static.add_command(net_dhcp_static_list)
|
||||||
|
|
||||||
|
net_acl.add_command(net_acl_add)
|
||||||
|
net_acl.add_command(net_acl_remove)
|
||||||
|
net_acl.add_command(net_acl_list)
|
||||||
|
|
||||||
cli.add_command(cli_node)
|
cli.add_command(cli_node)
|
||||||
cli.add_command(cli_vm)
|
cli.add_command(cli_vm)
|
||||||
cli.add_command(cli_network)
|
cli.add_command(cli_network)
|
||||||
|
|
|
@ -102,17 +102,27 @@ def getNetworkDescription(zk_conn, network):
|
||||||
|
|
||||||
def getNetworkDHCPLeases(zk_conn, vni):
|
def getNetworkDHCPLeases(zk_conn, vni):
|
||||||
# Get a list of DHCP leases by listing the children of /networks/<vni>/dhcp_leases
|
# Get a list of DHCP leases by listing the children of /networks/<vni>/dhcp_leases
|
||||||
dhcp_leases = zk_conn.get_children('/networks/{}/dhcp_leases'.format(vni))
|
dhcp_leases = zkhandler.listchildren(zk_conn, '/networks/{}/dhcp_leases'.format(vni))
|
||||||
return sorted(dhcp_leases)
|
return sorted(dhcp_leases)
|
||||||
|
|
||||||
def getNetworkDHCPReservations(zk_conn, vni):
|
def getNetworkDHCPReservations(zk_conn, vni):
|
||||||
# Get a list of DHCP reservations by listing the children of /networks/<vni>/dhcp_reservations
|
# Get a list of DHCP reservations by listing the children of /networks/<vni>/dhcp_reservations
|
||||||
dhcp_reservations = zk_conn.get_children('/networks/{}/dhcp_reservations'.format(vni))
|
dhcp_reservations = zkhandler.listchildren(zk_conn, '/networks/{}/dhcp_reservations'.format(vni))
|
||||||
return sorted(dhcp_reservations)
|
return sorted(dhcp_reservations)
|
||||||
|
|
||||||
def getNetworkFirewallRules(zk_conn, vni):
|
def getNetworkACLs(zk_conn, vni, direction):
|
||||||
firewall_rules = zk_conn.get_children('/networks/{}/firewall_rules'.format(vni))
|
# Get the (sorted) list of active ACLs
|
||||||
return None
|
unordered_acl_list = zkhandler.listchildren(zk_conn, '/networks/{}/firewall_rules/{}'.format(vni, direction))
|
||||||
|
ordered_acls = {}
|
||||||
|
full_acl_list = []
|
||||||
|
for acl in unordered_acl_list:
|
||||||
|
order = zkhandler.readdata(zk_conn, '/networks/{}/firewall_rules/{}/{}/order'.format(vni, direction, acl))
|
||||||
|
ordered_acls[order] = acl
|
||||||
|
|
||||||
|
for order in sorted(ordered_acls.keys()):
|
||||||
|
full_acl_list.append(ordered_acls[order])
|
||||||
|
|
||||||
|
return full_acl_list
|
||||||
|
|
||||||
def getNetworkInformation(zk_conn, vni):
|
def getNetworkInformation(zk_conn, vni):
|
||||||
description = zkhandler.readdata(zk_conn, '/networks/{}'.format(vni))
|
description = zkhandler.readdata(zk_conn, '/networks/{}'.format(vni))
|
||||||
|
@ -139,6 +149,12 @@ def getDHCPReservationInformation(zk_conn, vni, mac_address):
|
||||||
timestamp = 'static'
|
timestamp = 'static'
|
||||||
return hostname, ip_address, mac_address, timestamp
|
return hostname, ip_address, mac_address, timestamp
|
||||||
|
|
||||||
|
def getACLInformation(zk_conn, vni, direction, description):
|
||||||
|
order = zkhandler.readdata(zk_conn, '/networks/{}/firewall_rules/{}/{}/order'.format(vni, direction, description))
|
||||||
|
rule = zkhandler.readdata(zk_conn, '/networks/{}/firewall_rules/{}/{}/rule'.format(vni, direction, description))
|
||||||
|
return order, description, rule
|
||||||
|
|
||||||
|
|
||||||
def formatNetworkInformation(zk_conn, vni, long_output):
|
def formatNetworkInformation(zk_conn, vni, long_output):
|
||||||
description, domain, ip_network, ip_gateway, dhcp_flag, dhcp_start, dhcp_end = getNetworkInformation(zk_conn, vni)
|
description, domain, ip_network, ip_gateway, dhcp_flag, dhcp_start, dhcp_end = getNetworkInformation(zk_conn, vni)
|
||||||
|
|
||||||
|
@ -318,7 +334,6 @@ def formatDHCPLeaseList(zk_conn, vni, dhcp_leases_list, reservations=False):
|
||||||
else:
|
else:
|
||||||
hostname[dhcp_lease], ip_address[dhcp_lease], mac_address[dhcp_lease], timestamp[dhcp_lease] = getDHCPLeaseInformation(zk_conn, vni, dhcp_lease)
|
hostname[dhcp_lease], ip_address[dhcp_lease], mac_address[dhcp_lease], timestamp[dhcp_lease] = getDHCPLeaseInformation(zk_conn, vni, dhcp_lease)
|
||||||
|
|
||||||
|
|
||||||
# Determine optimal column widths
|
# Determine optimal column widths
|
||||||
lease_hostname_length = 13
|
lease_hostname_length = 13
|
||||||
lease_ip_address_length = 11
|
lease_ip_address_length = 11
|
||||||
|
@ -328,11 +343,11 @@ def formatDHCPLeaseList(zk_conn, vni, dhcp_leases_list, reservations=False):
|
||||||
_lease_hostname_length = len(hostname[dhcp_lease]) + 1
|
_lease_hostname_length = len(hostname[dhcp_lease]) + 1
|
||||||
if _lease_hostname_length > lease_hostname_length:
|
if _lease_hostname_length > lease_hostname_length:
|
||||||
lease_hostname_length = _lease_hostname_length
|
lease_hostname_length = _lease_hostname_length
|
||||||
# ip_network column
|
# ip_address column
|
||||||
_lease_ip_address_length = len(ip_address[dhcp_lease]) + 1
|
_lease_ip_address_length = len(ip_address[dhcp_lease]) + 1
|
||||||
if _lease_ip_address_length > lease_ip_address_length:
|
if _lease_ip_address_length > lease_ip_address_length:
|
||||||
lease_ip_address_length = _lease_ip_address_length
|
lease_ip_address_length = _lease_ip_address_length
|
||||||
# ip_gateway column
|
# mac_address column
|
||||||
_lease_mac_address_length = len(mac_address[dhcp_lease]) + 1
|
_lease_mac_address_length = len(mac_address[dhcp_lease]) + 1
|
||||||
if _lease_mac_address_length > lease_mac_address_length:
|
if _lease_mac_address_length > lease_mac_address_length:
|
||||||
lease_mac_address_length = _lease_mac_address_length
|
lease_mac_address_length = _lease_mac_address_length
|
||||||
|
@ -379,6 +394,70 @@ def formatDHCPLeaseList(zk_conn, vni, dhcp_leases_list, reservations=False):
|
||||||
output_string = dhcp_lease_list_output_header + '\n' + '\n'.join(sorted(dhcp_lease_list_output))
|
output_string = dhcp_lease_list_output_header + '\n' + '\n'.join(sorted(dhcp_lease_list_output))
|
||||||
return output_string
|
return output_string
|
||||||
|
|
||||||
|
def formatACLList(zk_conn, vni, direction, acl_list):
|
||||||
|
acl_list_output = []
|
||||||
|
order = {}
|
||||||
|
description = {}
|
||||||
|
rule = {}
|
||||||
|
|
||||||
|
# Gather information for printing
|
||||||
|
for acl in acl_list:
|
||||||
|
order[acl], description[acl], rule[acl] = getACLInformation(zk_conn, vni, direction, acl)
|
||||||
|
|
||||||
|
# Determine optimal column widths
|
||||||
|
acl_order_length = 6
|
||||||
|
acl_description_length = 12
|
||||||
|
acl_rule_length = 5
|
||||||
|
for acl in acl_list:
|
||||||
|
# order column
|
||||||
|
_acl_order_length = len(order[acl]) + 1
|
||||||
|
if _acl_order_length > acl_order_length:
|
||||||
|
acl_order_length = _acl_order_length
|
||||||
|
# description column
|
||||||
|
_acl_description_length = len(description[acl]) + 1
|
||||||
|
if _acl_description_length > acl_description_length:
|
||||||
|
acl_description_length = _acl_description_length
|
||||||
|
# rule column
|
||||||
|
_acl_rule_length = len(rule[acl]) + 1
|
||||||
|
if _acl_rule_length > acl_rule_length:
|
||||||
|
acl_rule_length = _acl_rule_length
|
||||||
|
|
||||||
|
# Format the string (header)
|
||||||
|
acl_list_output_header = '{bold}\
|
||||||
|
{acl_order: <{acl_order_length}} \
|
||||||
|
{acl_description: <{acl_description_length}} \
|
||||||
|
{acl_rule: <{acl_rule_length}} \
|
||||||
|
{end_bold}'.format(
|
||||||
|
bold=ansiiprint.bold(),
|
||||||
|
end_bold=ansiiprint.end(),
|
||||||
|
acl_order_length=acl_order_length,
|
||||||
|
acl_description_length=acl_description_length,
|
||||||
|
acl_rule_length=acl_rule_length,
|
||||||
|
acl_order='Order',
|
||||||
|
acl_description='Description',
|
||||||
|
acl_rule='Rule',
|
||||||
|
)
|
||||||
|
|
||||||
|
for acl in acl_list:
|
||||||
|
acl_list_output.append('{bold}\
|
||||||
|
{acl_order: <{acl_order_length}} \
|
||||||
|
{acl_description: <{acl_description_length}} \
|
||||||
|
{acl_rule: <{acl_rule_length}} \
|
||||||
|
{end_bold}'.format(
|
||||||
|
bold='',
|
||||||
|
end_bold='',
|
||||||
|
acl_order_length=acl_order_length,
|
||||||
|
acl_description_length=acl_description_length,
|
||||||
|
acl_rule_length=acl_rule_length,
|
||||||
|
acl_order=order[acl],
|
||||||
|
acl_description=description[acl],
|
||||||
|
acl_rule=rule[acl],
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
|
output_string = acl_list_output_header + '\n' + '\n'.join(sorted(acl_list_output))
|
||||||
|
return output_string
|
||||||
|
|
||||||
def isValidMAC(macaddr):
|
def isValidMAC(macaddr):
|
||||||
allowed = re.compile(r"""
|
allowed = re.compile(r"""
|
||||||
(
|
(
|
||||||
|
@ -409,15 +488,16 @@ def isValidIP(ipaddr):
|
||||||
# Direct functions
|
# Direct functions
|
||||||
#
|
#
|
||||||
def add_network(zk_conn, vni, description, domain, ip_network, ip_gateway, dhcp_flag, dhcp_start, dhcp_end):
|
def add_network(zk_conn, vni, description, domain, ip_network, ip_gateway, dhcp_flag, dhcp_start, dhcp_end):
|
||||||
if description == '':
|
|
||||||
description = vni
|
|
||||||
|
|
||||||
if dhcp_flag and ( not dhcp_start or not dhcp_end ):
|
if dhcp_flag and ( not dhcp_start or not dhcp_end ):
|
||||||
return False, 'ERROR: DHCP start and end addresses are required for a DHCP-enabled network.'
|
return False, 'ERROR: DHCP start and end addresses are required for a DHCP-enabled network.'
|
||||||
|
|
||||||
# Check if a network with this VNI already exists
|
# Check if a network with this VNI or description already exists
|
||||||
if zk_conn.exists('/networks/{}'.format(vni)):
|
if zk_conn.exists('/networks/{}'.format(vni)):
|
||||||
return False, 'ERROR: A network with VNI {} already exists!'.format(vni)
|
return False, 'ERROR: A network with VNI {} already exists!'.format(vni)
|
||||||
|
for network in zkhandler.listchildren(zk_conn, '/networks'):
|
||||||
|
network_description = zkhandler.readdata(zk_conn, '/networks/{}'.format(network))
|
||||||
|
if network_description == description:
|
||||||
|
return False, 'ERROR: A network with description {} already exists!'.format(description)
|
||||||
|
|
||||||
# Add the new network to Zookeeper
|
# Add the new network to Zookeeper
|
||||||
zkhandler.writedata(zk_conn, {
|
zkhandler.writedata(zk_conn, {
|
||||||
|
@ -425,12 +505,14 @@ def add_network(zk_conn, vni, description, domain, ip_network, ip_gateway, dhcp_
|
||||||
'/networks/{}/domain'.format(vni): domain,
|
'/networks/{}/domain'.format(vni): domain,
|
||||||
'/networks/{}/ip_network'.format(vni): ip_network,
|
'/networks/{}/ip_network'.format(vni): ip_network,
|
||||||
'/networks/{}/ip_gateway'.format(vni): ip_gateway,
|
'/networks/{}/ip_gateway'.format(vni): ip_gateway,
|
||||||
'/networks/{}/dhcp_flag'.format(vni): str(dhcp_flag),
|
'/networks/{}/dhcp_flag'.format(vni): dhcp_flag,
|
||||||
'/networks/{}/dhcp_start'.format(vni): dhcp_start,
|
'/networks/{}/dhcp_start'.format(vni): dhcp_start,
|
||||||
'/networks/{}/dhcp_end'.format(vni): dhcp_end,
|
'/networks/{}/dhcp_end'.format(vni): dhcp_end,
|
||||||
'/networks/{}/dhcp_leases'.format(vni): '',
|
'/networks/{}/dhcp_leases'.format(vni): '',
|
||||||
'/networks/{}/dhcp_reservations'.format(vni): '',
|
'/networks/{}/dhcp_reservations'.format(vni): '',
|
||||||
'/networks/{}/firewall_rules'.format(vni): ''
|
'/networks/{}/firewall_rules'.format(vni): '',
|
||||||
|
'/networks/{}/firewall_rules/in'.format(vni): '',
|
||||||
|
'/networks/{}/firewall_rules/out'.format(vni): ''
|
||||||
})
|
})
|
||||||
|
|
||||||
return True, 'Network "{}" added successfully!'.format(description)
|
return True, 'Network "{}" added successfully!'.format(description)
|
||||||
|
@ -448,7 +530,7 @@ def modify_network(zk_conn, vni, **parameters):
|
||||||
if parameters['ip_gateway'] != None:
|
if parameters['ip_gateway'] != None:
|
||||||
zk_data.update({'/networks/{}/ip_gateway'.format(vni): parameters['ip_gateway']})
|
zk_data.update({'/networks/{}/ip_gateway'.format(vni): parameters['ip_gateway']})
|
||||||
if parameters['dhcp_flag'] != None:
|
if parameters['dhcp_flag'] != None:
|
||||||
zk_data.update({'/networks/{}/dhcp_flag'.format(vni): str(parameters['dhcp_flag'])})
|
zk_data.update({'/networks/{}/dhcp_flag'.format(vni): parameters['dhcp_flag']})
|
||||||
if parameters['dhcp_start'] != None:
|
if parameters['dhcp_start'] != None:
|
||||||
zk_data.update({'/networks/{}/dhcp_start'.format(vni): parameters['dhcp_start']})
|
zk_data.update({'/networks/{}/dhcp_start'.format(vni): parameters['dhcp_start']})
|
||||||
if parameters['dhcp_end'] != None:
|
if parameters['dhcp_end'] != None:
|
||||||
|
@ -513,7 +595,7 @@ def remove_dhcp_reservation(zk_conn, network, reservation):
|
||||||
match_description = ''
|
match_description = ''
|
||||||
|
|
||||||
# Check if the reservation matches a description, a mac, or an IP address currently in the database
|
# Check if the reservation matches a description, a mac, or an IP address currently in the database
|
||||||
dhcp_reservations_list = zk_conn.get_children('/networks/{}/dhcp_reservations'.format(net_vni))
|
dhcp_reservations_list = getNetworkDHCPReservations(zk_conn, net_vni)
|
||||||
for macaddr in dhcp_reservations_list:
|
for macaddr in dhcp_reservations_list:
|
||||||
hostname = zkhandler.readdata(zk_conn, '/networks/{}/dhcp_reservations/{}/hostname'.format(net_vni, macaddr))
|
hostname = zkhandler.readdata(zk_conn, '/networks/{}/dhcp_reservations/{}/hostname'.format(net_vni, macaddr))
|
||||||
ipaddress = zkhandler.readdata(zk_conn, '/networks/{}/dhcp_reservations/{}/ipaddr'.format(net_vni, macaddr))
|
ipaddress = zkhandler.readdata(zk_conn, '/networks/{}/dhcp_reservations/{}/ipaddr'.format(net_vni, macaddr))
|
||||||
|
@ -531,6 +613,105 @@ def remove_dhcp_reservation(zk_conn, network, reservation):
|
||||||
|
|
||||||
return True, 'DHCP reservation "{}" removed successfully!'.format(match_description)
|
return True, 'DHCP reservation "{}" removed successfully!'.format(match_description)
|
||||||
|
|
||||||
|
def add_acl(zk_conn, network, direction, description, rule, order):
|
||||||
|
# Validate and obtain standard passed value
|
||||||
|
net_vni = getNetworkVNI(zk_conn, network)
|
||||||
|
if net_vni == None:
|
||||||
|
return False, 'ERROR: Could not find network "{}" in the cluster!'.format(network)
|
||||||
|
|
||||||
|
# Change direction to something more usable
|
||||||
|
if direction:
|
||||||
|
direction = "in"
|
||||||
|
else:
|
||||||
|
direction = "out"
|
||||||
|
|
||||||
|
if zk_conn.exists('/networks/{}/firewall_rules/{}/{}'.format(net_vni, direction, description)):
|
||||||
|
return False, 'ERROR: A rule with description "{}" already exists!'.format(description)
|
||||||
|
|
||||||
|
# Handle reordering
|
||||||
|
full_acl_list = getNetworkACLs(zk_conn, net_vni, direction)
|
||||||
|
acl_list_length = len(full_acl_list)
|
||||||
|
# Set order to len
|
||||||
|
if order == None or int(order) > acl_list_length:
|
||||||
|
order = acl_list_length
|
||||||
|
# Convert passed-in order to an integer
|
||||||
|
else:
|
||||||
|
order = int(order)
|
||||||
|
|
||||||
|
# Insert into the array at order-1
|
||||||
|
full_acl_list.insert(order, description)
|
||||||
|
|
||||||
|
# Update the existing ordering
|
||||||
|
updated_orders = {}
|
||||||
|
for idx, acl in enumerate(full_acl_list):
|
||||||
|
# We haven't added ourselves yet
|
||||||
|
if acl == description:
|
||||||
|
continue
|
||||||
|
|
||||||
|
updated_orders[
|
||||||
|
'/networks/{}/firewall_rules/{}/{}/order'.format(net_vni, direction, acl)
|
||||||
|
] = idx
|
||||||
|
|
||||||
|
if updated_orders:
|
||||||
|
zkhandler.writedata(zk_conn, updated_orders)
|
||||||
|
|
||||||
|
# Add the new rule
|
||||||
|
try:
|
||||||
|
zkhandler.writedata(zk_conn, {
|
||||||
|
'/networks/{}/firewall_rules/{}/{}'.format(net_vni, direction, description): '',
|
||||||
|
'/networks/{}/firewall_rules/{}/{}/order'.format(net_vni, direction, description): order,
|
||||||
|
'/networks/{}/firewall_rules/{}/{}/rule'.format(net_vni, direction, description): rule
|
||||||
|
})
|
||||||
|
except Exception as e:
|
||||||
|
return False, 'ERROR: Failed to write to Zookeeper! Exception: "{}".'.format(e)
|
||||||
|
|
||||||
|
return True, 'Firewall rule "{}" added successfully!'.format(description)
|
||||||
|
|
||||||
|
def remove_acl(zk_conn, network, rule, direction):
|
||||||
|
# Validate and obtain standard passed value
|
||||||
|
net_vni = getNetworkVNI(zk_conn, network)
|
||||||
|
if net_vni == None:
|
||||||
|
return False, 'ERROR: Could not find network "{}" in the cluster!'.format(network)
|
||||||
|
|
||||||
|
# Change direction to something more usable
|
||||||
|
if direction:
|
||||||
|
direction = "in"
|
||||||
|
else:
|
||||||
|
direction = "out"
|
||||||
|
|
||||||
|
match_description = ''
|
||||||
|
|
||||||
|
# Check if the ACL matches a description currently in the database
|
||||||
|
acl_list = getNetworkACLs(zk_conn, net_vni, direction)
|
||||||
|
for acl in acl_list:
|
||||||
|
if acl == rule:
|
||||||
|
match_description = acl
|
||||||
|
|
||||||
|
if not match_description:
|
||||||
|
return False, 'ERROR: No firewall rule exists matching description "{}"!'.format(rule)
|
||||||
|
|
||||||
|
# Remove the entry from zookeeper
|
||||||
|
try:
|
||||||
|
zk_conn.delete('/networks/{}/firewall_rules/{}/{}'.format(net_vni, direction, match_description), recursive=True)
|
||||||
|
except Exception as e:
|
||||||
|
return False, 'ERROR: Failed to write to Zookeeper! Exception: "{}".'.format(e)
|
||||||
|
|
||||||
|
# Update the existing ordering
|
||||||
|
full_acl_list = getNetworkACLs(zk_conn, net_vni, direction)
|
||||||
|
updated_orders = {}
|
||||||
|
for idx, acl in enumerate(full_acl_list):
|
||||||
|
updated_orders[
|
||||||
|
'/networks/{}/firewall_rules/{}/{}/order'.format(net_vni, direction, acl)
|
||||||
|
] = idx
|
||||||
|
|
||||||
|
if updated_orders:
|
||||||
|
try:
|
||||||
|
zkhandler.writedata(zk_conn, updated_orders)
|
||||||
|
except Exception as e:
|
||||||
|
return False, 'ERROR: Failed to write to Zookeeper! Exception: "{}".'.format(e)
|
||||||
|
|
||||||
|
return True, 'Firewall rule "{}" removed successfully!'.format(match_description)
|
||||||
|
|
||||||
def get_info(zk_conn, network, long_output):
|
def get_info(zk_conn, network, long_output):
|
||||||
# Validate and obtain alternate passed value
|
# Validate and obtain alternate passed value
|
||||||
net_vni = getNetworkVNI(zk_conn, network)
|
net_vni = getNetworkVNI(zk_conn, network)
|
||||||
|
@ -615,11 +796,45 @@ def get_list_dhcp(zk_conn, network, limit, only_static=False):
|
||||||
|
|
||||||
return True, ''
|
return True, ''
|
||||||
|
|
||||||
def get_list_firewall_rules(zk_conn, network):
|
def get_list_acl(zk_conn, network, limit, direction):
|
||||||
# Validate and obtain alternate passed value
|
# Validate and obtain alternate passed value
|
||||||
net_vni = getNetworkVNI(zk_conn, network)
|
net_vni = getNetworkVNI(zk_conn, network)
|
||||||
if net_vni == None:
|
if net_vni == None:
|
||||||
return False, 'ERROR: Could not find network "{}" in the cluster!'.format(network)
|
return False, 'ERROR: Could not find network "{}" in the cluster!'.format(network)
|
||||||
|
|
||||||
firewall_rules = getNetworkFirewallRules(zk_conn, net_vni)
|
# Change direction to something more usable
|
||||||
return firewall_rules
|
if direction:
|
||||||
|
direction = "in"
|
||||||
|
else:
|
||||||
|
direction = "out"
|
||||||
|
|
||||||
|
acl_list = []
|
||||||
|
full_acl_list = getNetworkACLs(zk_conn, net_vni, direction)
|
||||||
|
|
||||||
|
if limit:
|
||||||
|
try:
|
||||||
|
# Implcitly assume fuzzy limits
|
||||||
|
if re.match('\^.*', limit) == None:
|
||||||
|
limit = '.*' + limit
|
||||||
|
if re.match('.*\$', limit) == None:
|
||||||
|
limit = limit + '.*'
|
||||||
|
except Exception as e:
|
||||||
|
return False, 'Regex Error: {}'.format(e)
|
||||||
|
|
||||||
|
for idx, acl in enumerate(full_acl_list):
|
||||||
|
valid_acl = False
|
||||||
|
if limit:
|
||||||
|
if re.match(limit, acl) != None:
|
||||||
|
valid_acl = True
|
||||||
|
if re.match(limit, str(idx)) != None:
|
||||||
|
valid_acl = True
|
||||||
|
else:
|
||||||
|
valid_acl = True
|
||||||
|
|
||||||
|
if valid_acl:
|
||||||
|
acl_list.append(acl)
|
||||||
|
|
||||||
|
output_string = formatACLList(zk_conn, net_vni, direction, acl_list)
|
||||||
|
click.echo(output_string)
|
||||||
|
|
||||||
|
return True, ''
|
||||||
|
|
Loading…
Reference in New Issue