Merge "dns_[a|aaaa] filter; use host for lookup"

2018-09-14 16:33:10 +00:00 · 2018-09-14 16:33:10 +00:00 · ffbdc1d937
parent 5d2d1ffed4 11343cc75d
commit ffbdc1d937
3 changed files with 26 additions and 9 deletions
--- a/playbooks/filter_plugins/getaddrinfo.py
+++ b/playbooks/filter_plugins/getaddrinfo.py
@ -13,26 +13,36 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-import socket
+import subprocess


 class FilterModule(object):

    def dns(self, value, family):
        ret = set()
+        if family == '4':
+            match = 'has address'
+        elif family == '6':
+            match = 'has IPv6 address'
        try:
-            addr_info = socket.getaddrinfo(value, None, family)
-        except socket.gaierror:
+            # Note we use 'host' rather than something like
+            # getaddrinfo so we actually query DNS and don't get any
+            # local-only results from /etc/hosts
+            output = subprocess.check_output(
+                ['/usr/bin/host', value], universal_newlines=True)
+            for line in output.split('\n'):
+                if match in line:
+                    address = line.split()[-1]
+                    ret.add(address)
+        except Exception as e:
            return ret
-        for addr in addr_info:
-            ret.add(addr[4][0])
        return sorted(ret)

    def dns_a(self, value):
-        return self.dns(value, socket.AF_INET)
+        return self.dns(value, '4')

    def dns_aaaa(self, value):
-        return self.dns(value, socket.AF_INET6)
+        return self.dns(value, '6')

    def filters(self):
        return {
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@ -23,7 +23,7 @@
 {% endfor -%}
 {% for host in iptables_allowed_hosts -%}
 {% for addr in host.hostname | dns_aaaa -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %}-m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
 {% endfor -%}
 {% endfor -%}
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@ -83,12 +83,19 @@ def test_iptables(host):
            ' -m tcp --dport 19885 -j ACCEPT')
    assert zuul in rules

-    # Ensure all IPv4 addresses for cacti are allowed
+    # Ensure all IPv4+6 addresses for cacti are allowed
    for ip in get_ips('cacti.openstack.org', socket.AF_INET):
        snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
                ' --dport 161 -j ACCEPT' % ip)
        assert snmp in rules

+    # TODO(ianw) add ip6tables support to testinfra iptables module
+    ip6rules = host.check_output('ip6tables -S')
+    for ip in get_ips('cacti.openstack.org', socket.AF_INET6):
+        snmp = ('-A openstack-INPUT -s %s/128 -p udp -m udp'
+                ' --dport 161 -j ACCEPT' % ip)
+        assert snmp in ip6rules
+

 def test_ntp(host):
    package = host.package("ntp")