Merge "dns_[a|aaaa] filter; use host for lookup"
commit
ffbdc1d937
@ -13,26 +13,36 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import socket
import subprocess
class FilterModule(object):
def dns(self, value, family):
ret = set()
if family == '4':
match = 'has address'
elif family == '6':
match = 'has IPv6 address'
try:
addr_info = socket.getaddrinfo(value, None, family)
except socket.gaierror:
# Note we use 'host' rather than something like
# getaddrinfo so we actually query DNS and don't get any
# local-only results from /etc/hosts
output = subprocess.check_output(
['/usr/bin/host', value], universal_newlines=True)
for line in output.split('\n'):
if match in line:
address = line.split()[-1]
ret.add(address)
except Exception as e:
return ret
for addr in addr_info:
ret.add(addr[4][0])
return sorted(ret)
def dns_a(self, value):
return self.dns(value, socket.AF_INET)
return self.dns(value, '4')
def dns_aaaa(self, value):
return self.dns(value, socket.AF_INET6)
return self.dns(value, '6')
def filters(self):
return {
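Review bot: The `except Exception as e` / `return ret` at the end of `dns` turns every failure — `/usr/bin/host` missing, a non-zero exit on NXDOMAIN, or a `NameError` because `match` is never assigned when `family` is neither '4' nor '6' — into a silently empty result, and in the iptables template that means the allowed host simply gets no ACCEPT rule with no trace of why. Narrow it to the errors the `host` call can actually raise, `except (subprocess.CalledProcessError, OSError):`, and reject bad input before the `try` with `else: raise ValueError("family must be '4' or '6'")` after the `elif` branch so misuse is not masked; `e` is unused and can be dropped. Passing `value` as a list element to `check_output` means no shell is involved, which is the right shape for a templated hostname. `socket`, imported at the top of the hunk, no longer appears to be used by the new `dns_a`/`dns_aaaa` bodies; if nothing else in the file needs it the import can go.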
@ -23,7 +23,7 @@
{% endfor -%}
{% for host in iptables_allowed_hosts -%}
{% for addr in host.hostname | dns_aaaa -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %}-m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
@ -83,12 +83,19 @@ def test_iptables(host):
' -m tcp --dport 19885 -j ACCEPT')
assert zuul in rules
# Ensure all IPv4 addresses for cacti are allowed
# Ensure all IPv4+6 addresses for cacti are allowed
for ip in get_ips('cacti.openstack.org', socket.AF_INET):
snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
' --dport 161 -j ACCEPT' % ip)
assert snmp in rules
# TODO(ianw) add ip6tables support to testinfra iptables module
ip6rules = host.check_output('ip6tables -S')
for ip in get_ips('cacti.openstack.org', socket.AF_INET6):
snmp = ('-A openstack-INPUT -s %s/128 -p udp -m udp'
' --dport 161 -j ACCEPT' % ip)
assert snmp in ip6rules
def test_ntp(host):
package = host.package("ntp")
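Review bot: The new IPv6 loop relies on `get_ips`, defined outside this hunk, to yield the same address set that the `dns_aaaa` filter now derives from `/usr/bin/host`; if `get_ips` still goes through `socket.getaddrinfo` (the `socket.AF_INET6` argument suggests it does), the two can disagree whenever the test node has a local `/etc/hosts` entry or a resolver returning a subset of records, which is the very case the filter change works around. A comment beside the loop stating that assumption, `# get_ips must resolve via DNS the same way the dns_aaaa filter does`, or resolving both sides identically, would make the expectation explicit. `test_iptables` begins outside the hunk, and the `ip6rules` check is substring-based like the IPv4 one, so an unexpected extra ACCEPT rule would not be detected.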