Class: Dcmgr::VNet::TaskFactory

Inherits:
Object
Extended by:
Helpers::NicHelper
Includes:
Tasks
Defined in:
lib/dcmgr/vnet/factories.rb

Class Method Summary

Methods included from Helpers::NicHelper

clean_mac, find_nic, is_natted?, nic_state, valid_nic?

Class Method Details

.create_drop_tasks_for_vnic(vnic, node) ⇒ Object

Returns the tasks that drop all traffic



# File 'lib/dcmgr/vnet/factories.rb', line 64

def self.create_drop_tasks_for_vnic(vnic,node)
  # The default-deny pair for a vnic: one task dropping IP traffic and one
  # dropping ARP forwarding. Everything else the other factories accept is
  # layered on top of these. Whether dropped ARP packets are logged follows
  # the node's packet_drop_log setting; the prefix carries the vnic uuid so
  # the log line can be attributed to an instance.
  log_drops = node.manifest.config.packet_drop_log
  arp_log_prefix = "D arp #{vnic[:uuid]}: "

  #TODO: Add logging to ip drops
  # DropIpFromAnywhere is constructed without logging arguments here, so IP
  # drops are not logged even when packet_drop_log is on.
  [
    DropIpFromAnywhere.new,
    DropArpForwarding.new(log_drops, arp_log_prefix),
  ]
end

.create_nat_tasks_for_vnic(vnic, node) ⇒ Object

Creates tasks related to network address translation



# File 'lib/dcmgr/vnet/factories.rb', line 72

def self.create_nat_tasks_for_vnic(vnic,node)
  # Builds the address-translation tasks for a vnic:
  #   * static SNAT/DNAT between the instance address and its nat_address,
  #     only when the vnic is natted (is_natted? comes from Helpers::NicHelper),
  #     optionally preceded by a logging task;
  #   * redirection of metadata-server traffic, only when the vnic's network
  #     names a metadata server (port falls back to 80 when unset).
  # Excluding friends from NAT is not done here (see create_tasks_for_isolation).
  ipv4 = vnic[:ipv4]
  network = ipv4[:network]
  tasks = []

  if is_natted?(vnic)
    # NOTE(review): NAT logging is switched by the packet_drop_log flag,
    # not by a NAT-specific setting.
    if node.manifest.config.packet_drop_log
      tasks << StaticNatLog.new(ipv4[:address], ipv4[:nat_address],
                                "SNAT #{vnic[:uuid]}", "DNAT #{vnic[:uuid]}")
    end
    tasks << StaticNat.new(ipv4[:address], ipv4[:nat_address], clean_mac(vnic[:mac_addr]))
  end

  metadata_server = network[:metadata_server]
  unless metadata_server.nil?
    metadata_port = network[:metadata_server_port] || 80
    tasks << TranslateMetadataAddress.new(vnic[:uuid], metadata_server, metadata_port)
  end

  tasks
end

.create_tasks_for_isolation(vnic, friends, node) ⇒ Object



# File 'lib/dcmgr/vnet/factories.rb', line 35

def self.create_tasks_for_isolation(vnic,friends,node)
  # Tasks that keep a vnic reachable from its "friends" (the vnic_maps that
  # must not be isolated from it):
  #   * ARP from the friends' addresses is accepted;
  #   * when the vnic is natted, traffic to friends is excluded from NAT so
  #     that friends address each other by their real IPs.
  # Only ARP is accepted here; no task accepting IP traffic from friends is
  # produced by this factory.
  log_drops = node.manifest.config.packet_drop_log
  ipset_enabled = node.manifest.config.use_ipset
  friend_addresses = friends.map { |friend| friend[:ipv4][:address] }

  tasks = [
    AcceptARPFromFriends.new(vnic[:ipv4][:address], friend_addresses, log_drops, "A arp friend #{vnic[:uuid]}"),
  ]

  return tasks unless is_natted?(vnic)

  # NOTE(review): the ipset variant (ExcludeFromNatIpSet) is not implemented,
  # so with use_ipset enabled no NAT-exclusion task is produced at all and a
  # natted vnic keeps reaching its friends through NAT.
  tasks << ExcludeFromNat.new(friend_addresses, vnic[:ipv4][:address]) unless ipset_enabled

  tasks
end

.create_tasks_for_secgroup(secgroup) ⇒ Object

Returns the tasks required for applying this security group



# File 'lib/dcmgr/vnet/factories.rb', line 59

def self.create_tasks_for_secgroup(secgroup)
  # One security group is carried by a single SecurityGroup task. It is
  # returned as a one-element list so callers can concatenate it like the
  # output of the other factory methods.
  task = SecurityGroup.new(secgroup)
  [task]
end

.create_tasks_for_vnic(vnic, friends, security_groups, node) ⇒ Object

Returns the netfilter tasks required for this vnic. The friends parameter is an array of vnic_maps that should not be isolated from vnic.



# File 'lib/dcmgr/vnet/factories.rb', line 98

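def self.create_tasks_for_vnic(vnic,friends,security_groups,node)
  # Returns the full list of netfilter tasks for a vnic, assembled from the
  # other factory methods in this order:
  #   1. default-deny drop tasks,
  #   2. data link layer accepts and anti-spoofing checks (ARP/MAC),
  #   3. generic IP layer accepts (related/established, DNS, Wakame DHCP),
  #   4. friend isolation and NAT tasks,
  #   5. accept of IP traffic from the network gateway,
  #   6. one task per security group.
  #
  # vnic            - vnic_map hash; reads :uuid, :mac_addr and
  #                   :ipv4 => {:address, :network => {:ipv4_gw, :dhcp_server, ...}}
  # friends         - vnic_maps that must not be isolated from vnic
  # security_groups - security groups applied to the vnic, kept in the given order
  # node            - node whose manifest.config.packet_drop_log switches drop logging
  #
  # NOTE(review): whether the position of a task in this list affects rule
  # precedence depends on how tasks are rendered into rules elsewhere; the
  # original order is preserved here.
  host_addr = Isono::Util.default_gw_ipaddr
  enable_logging = node.manifest.config.packet_drop_log
  uuid = vnic[:uuid]
  network = vnic[:ipv4][:network]

  tasks = []

  # Drop all traffic that isn't explicitly accepted
  tasks.concat(create_drop_tasks_for_vnic(vnic, node))

  # General data link layer tasks
  tasks << AcceptARPToHost.new(host_addr, vnic[:ipv4][:address], enable_logging, "A arp to_host #{uuid}: ")
  tasks << AcceptARPFromGateway.new(network[:ipv4_gw], enable_logging, "A arp from_gw #{uuid}: ") unless network[:ipv4_gw].nil?
  # The log prefix names the spoofing check that dropped the packet, so keep
  # "ip" with DropIpSpoofing and "arp" with DropMacSpoofing (they were
  # crossed before, which mislabelled drop log lines).
  tasks << DropIpSpoofing.new(vnic[:ipv4][:address], enable_logging, "D ip sp #{uuid}: ")
  tasks << DropMacSpoofing.new(clean_mac(vnic[:mac_addr]), enable_logging, "D arp sp #{uuid}: ")
  tasks << AcceptArpBroadcast.new(host_addr, enable_logging, "A arp bc #{uuid}: ")

  # General ip layer tasks
  tasks << AcceptIcmpRelatedEstablished.new
  tasks << AcceptTcpRelatedEstablished.new
  tasks << AcceptUdpEstablished.new
  tasks << AcceptAllDNS.new
  tasks << AcceptWakameDHCPOnly.new(network[:dhcp_server]) unless network[:dhcp_server].nil?
  # No blanket AcceptIpToAnywhere task is added here.

  # VM isolation and NAT
  tasks.concat(create_tasks_for_isolation(vnic, friends, node))
  tasks.concat(create_nat_tasks_for_vnic(vnic, node))

  # Accept ip traffic from the gateway that isn't blocked by other tasks
  tasks << AcceptIpFromGateway.new(network[:ipv4_gw]) unless network[:ipv4_gw].nil?

  # Security group tasks, one SecurityGroup task per group
  tasks.concat(security_groups.flat_map { |secgroup| create_tasks_for_secgroup(secgroup) })

  tasks
end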