Loading Specific Iptables in install hook

This commit is contained in:
Bilal Baqar 2016-03-10 14:39:19 -08:00
parent eb3a564786
commit bf85578035
3 changed files with 52 additions and 3 deletions


@ -30,7 +30,8 @@ from pg_gw_utils import (
remove_iovisor,
ensure_mtu,
add_lcm_key,
fabric_interface_changed
fabric_interface_changed,
load_iptables,
)
hooks = Hooks()
@ -42,6 +43,7 @@ def install():
'''
Install hook is run when the charm is first deployed on a node.
'''
load_iptables()
configure_sources(update=True)
pkgs = determine_packages()
for pkg in pkgs:
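Review bot: `load_iptables()` is placed as the first statement of the hook body, before `configure_sources(update=True)`, yet the companion hunk in pg_gw_utils shows it calling `apt_install` for `ohai` and `iptables-persistent`; on a freshly deployed node the apt sources have not been configured or refreshed at that point, so those installs can fail or resolve against a stale cache. Moving the call to after `configure_sources(update=True)` (or after the `determine_packages()` install loop) keeps the firewall setup while letting it see the configured sources. Because `apt_install` raises on failure, the hook would abort before any package is installed; if the firewall rules are meant to be best-effort, that error should be caught and logged rather than allowed to fail the install. The remainder of `install()` is outside the hunk, so I cannot tell whether anything later depends on the rules already being present.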


@ -22,7 +22,8 @@ from charmhelpers.core.host import (
service_stop,
)
from charmhelpers.fetch import (
apt_cache
apt_cache,
apt_install
)
from charmhelpers.contrib.storage.linux.ceph import modprobe
from charmhelpers.core.host import set_nic_mtu
@ -143,7 +144,6 @@ def restart_pg():
'''
service_stop('plumgrid')
time.sleep(30)
_exec_cmd(cmd=['iptables', '-F'])
service_start('plumgrid')
time.sleep(30)
@ -327,3 +327,49 @@ def add_lcm_key():
fa.write('\n')
fa.close()
return 1
def load_iptables():
network = get_cidr_from_iface(get_mgmt_interface())
if network:
_exec_cmd(['sudo', 'iptables', '-A', 'INPUT', '-p', 'tcp',
'-j', 'ACCEPT', '-s', network, '-d',
network, '-m', 'state', '--state', 'NEW'])
_exec_cmd(['sudo', 'iptables', '-A', 'INPUT', '-p', 'udp', '-j',
'ACCEPT', '-s', network, '-d', network,
'-m', 'state', '--state', 'NEW'])
_exec_cmd(['sudo', 'iptables', '-I', 'INPUT', '-s', network,
'-d', '224.0.0.18/32', '-j', 'ACCEPT'])
_exec_cmd(['sudo', 'iptables', '-I', 'INPUT', '-p', 'vrrp', '-j',
'ACCEPT'])
_exec_cmd(['sudo', 'iptables', '-A', 'INPUT', '-p', 'tcp', '-j',
'ACCEPT', '-d', config('plumgrid-virtual-ip'), '-m',
'state', '--state', 'NEW'])
apt_install('iptables-persistent')
def get_cidr_from_iface(interface):
if not interface:
return None
apt_install('ohai')
try:
os_info = subprocess.check_output(['ohai', '-l', 'fatal'])
except OSError:
log('Unable to get operating system information')
return None
try:
os_info_json = json.loads(os_info)
except ValueError:
log('Unable to determine network')
return None
device = os_info_json['network']['interfaces'].get(interface)
if device is not None:
if device.get('routes'):
routes = device['routes']
for net in routes:
if 'scope' in net:
return net.get('destination')
else:
return None
else:
return None
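Review bot: The rule `_exec_cmd(['sudo', 'iptables', '-A', 'INPUT', '-p', 'tcp', '-j', 'ACCEPT', '-d', config('plumgrid-virtual-ip'), '-m', 'state', '--state', 'NEW'])` carries no `-s` restriction, so it accepts new TCP connections on every port of the virtual IP from any source, and the `-p vrrp` rule likewise accepts VRRP from anywhere; the other rules in `load_iptables()` are scoped to `network`, and unless the VIP must be reachable from outside the management network I would add `'-s', network` to both. None of the rules is checked for before being added (`-A`/`-I` run unconditionally), so every re-run of the hook stacks duplicate rules; probing with `iptables -C` first, or deleting before inserting, would make the function idempotent. In `get_cidr_from_iface`, `subprocess.check_output` is guarded only for `OSError`; a non-zero exit from `ohai` raises `CalledProcessError` and aborts the hook, so the clause should read `except (OSError, subprocess.CalledProcessError):`. The indentation of the `else: return None` following `if 'scope' in net:` is not recoverable from the rendered page; if it belongs to the `if` rather than the `for`, the first route lacking a `scope` key returns `None` before later routes are examined, which looks unintended and is worth confirming against the source.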


@ -30,6 +30,7 @@ TO_PATCH = [
'ensure_mtu',
'add_lcm_key',
'determine_packages',
'load_iptables'
]
NEUTRON_CONF_DIR = "/etc/neutron"
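Review bot: The new entry `'load_iptables'` closes the `TO_PATCH` list without a trailing comma, which is the same pattern that turned `fabric_interface_changed` into a remove-and-re-add pair in the first file of this commit; writing it as `'load_iptables',` keeps the next addition a one-line diff. The hunk only registers the patch target; an assertion that `install()` actually calls `load_iptables` is not part of this hunk, and the rest of the test module is outside it, so whether the new hook behaviour is covered is not visible here.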